Support Forum
FlavioB
New Contributor III

VPN in Failover configuration?

Hello everybody. I've set up a Fortigate 60C with Internet link on WAN1. On this link, I'm also doing an IPSec VPN tunnel to another FGT60C (remote office). Now I have a second line, which I want to use as a failover (on WAN2). What I should configure is to have the same policies applied to WAN2, set the routing priorities and configure a ping host. But what do I have to do for the VPN to go up again when WAN1 would be down and WAN2 would become the main outgoing link? As far as I've seen, the VPN Phase 1 is bound to one interface only... Thanks in advance and kind regards, F.
emnoc
Esteemed Contributor III

The easy fix would be to build 2 VPN tunnels with static routes and in interface route mode. Then you can run both tunnels, just set the route priorities (distance) for the one side that you prefer and the correct fwpolicies. Make sure DPD is enabled and have at it. With the fortigate, you can also run a dynamic routing protocol if so desired, but that would be more work. Good luck

PCNSE NSE StrongSwan
FlavioB
New Contributor III

Hello emnoc. I've just been thinking about the same procedure: always have 2 open VPN tunnels (one on WAN1, one on WAN2) and simply have traffic being prioritised to go through the main (WAN1) link when up. One last question: what happens to running sessions in the VPN tunnel, when a WAN-Failover event would occur? Would they be cut off? Thanks, F.
ede_pfau
SuperUser

Hi, have a look at the chapter "Redundant VPN connections" in the FortiOS Handbook, or the IPSec Guide. With a parameter that you set via CLI you can instruct a backup VPN to monitor the primary VPN, and step in if the primary fails (for whatever reasons, not only line failure).
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

What ede is referring to is the set monitor-phase1, this is similar to the juniper vpnmonitor feature. On the questions about the session states, I would assume since the sessions are already in the table, they would continue on. But when you build your redundant vpn tunnels, you can test this to see if it's true.

PCNSE NSE StrongSwan
ede_pfau
SuperUser

I disagree here. I think the design and intention of an IPSec tunnel is such that if a tunnel is going down all sessions across this tunnel are terminated instantly. If (by a redundant setup) a backup tunnel is built up then new sessions have to be established as sessions are tied to interfaces in the session table. I'd recommend to configure the tunnels to re-establish automatically (a phase1 parameter) instead of the regular traffic-driven build-up.
Ede Kernel panic: Aiee, killing interrupt handler!
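As an added example (not from any poster in this thread, nor from Fortinet's own documentation), the redundant design emnoc and ede_pfau describe above written out as FortiOS CLI: two interface-mode phase1s to the same peer on wan1 and wan2, the backup set to monitor the primary, DPD on both, phase2 auto-negotiate so the tunnels come up without waiting for traffic, and two static routes to the remote LAN with different distances. Tunnel names, the peer address, subnets and the PSK are constructed placeholders; the remote FortiGate needs the matching pair of tunnels, and some keyword values (for example `dpd on-idle`) differ between FortiOS versions.

```text
# Constructed example: peer 203.0.113.10, local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24
config vpn ipsec phase1-interface
    edit "vpn-wan1"
        # primary tunnel, bound to the WAN1 line
        set interface "wan1"
        set remote-gw 203.0.113.10
        # DPD so a dead peer or dead line is detected, not just a link-down event
        set dpd on-idle
        set psksecret PLACEHOLDER_PSK
    next
    edit "vpn-wan2"
        # backup tunnel, bound to the WAN2 line; same peer
        set interface "wan2"
        set remote-gw 203.0.113.10
        # monitor the primary: this tunnel is only brought up while vpn-wan1 is down
        set monitor "vpn-wan1"
        set dpd on-idle
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit "vpn-wan1-p2"
        set phase1name "vpn-wan1"
        # (re-)negotiate the SAs automatically instead of on first matching packet
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
    edit "vpn-wan2-p2"
        set phase1name "vpn-wan2"
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
# Two routes to the remote LAN; the lower distance is used while its tunnel interface is up
config router static
    edit 10
        set dst 192.168.2.0 255.255.255.0
        set device "vpn-wan1"
        set distance 10
    next
    edit 11
        set dst 192.168.2.0 255.255.255.0
        set device "vpn-wan2"
        set distance 20
    next
end
# Firewall policies are still needed for both tunnel interfaces (lan <-> vpn-wan1 and lan <-> vpn-wan2)
```

The route with distance 20 only becomes active when the vpn-wan1 interface goes down, so existing sessions bound to vpn-wan1 in the session table are lost and re-established over vpn-wan2, which is the behaviour ede_pfau describes.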